1. Background
1.1 Payments in the online space are facilitated by a number of intermediaries like the
payment gateways and payment aggregators. These intermediaries act as the bridge between
the providers of goods / services (merchants) and those that require them (customers). For a
successful online experience, the role of such intermediaries is crucial.
1.2 The intermediaries involved in payment collection and settlement between customers
and merchants range from banks providing payment gateway services, non-bank aggregators
of merchants and payment options / instruments, and technology service providers supporting
payment gateway operations, to e-commerce marketplaces.
1.3 Extant regulations in this area, albeit indirect, were issued by the Reserve Bank of India
(RBI) in November 2009. They required banks to maintain a nodal account for the
intermediaries, with permissible credits and debits, and also prescribed the settlement cycle for
credit to the merchants. This nodal account was required to be in the form of an ‘internal
account’ of the bank.
1.4 The instructions were motivated with a view to safeguard the interests of the customers
and users and to ensure that the payments made by them using electronic / digital / online
payment modes were duly accounted for by the intermediaries receiving such payments and
transmitted to the accounts of the merchants or to similar other entities.
1.5 There have been no changes to these guidelines since their issue. Payment systems in
India have witnessed rapid changes in the last decade. The facilitating role of innovation,
fintech, expanding e-commerce activities, etc., has contributed to this impressive growth. In
this fast-changing scenario, it is opportune to review whether the extant guidelines / regulatory
prescriptions are adequate. It is also time to see whether a regime of direct regulation is warranted.
1.6 In its Monetary Policy Statement for 2018-19 dated February 7, 2019, RBI had
indicated that the existing guidelines for Payment Intermediaries would be reviewed. This
discussion paper covers the various facets of the activities of the Payment Gateways and
Payment Aggregators and presents different options towards their regulation.
2.1 In an online payment transaction, the following entities / players are generally involved
– seller (merchant), customer (buyer), customer’s bank / wallet account, acquiring bank, the
bank having the nodal account, IT and communication hardware / software, middleware,
security systems, payment gateways and payment aggregators. The means opted for
payment could be a credit card, debit card, bank account, wallet, Unified Payments Interface
(UPI), etc. Depending on the payment mode used, additional players like card networks, NPCI
(National Payments Corporation of India), banks offering net-banking services, banks / non-
banks issuing wallets, etc. may be part of the payment chain.
Page 2
Discussion Paper on Guidelines for Payment Gateways and Payment Aggregators
without the need for merchants to create a separate payment integration system
of their own.
2.3 Payment Gateways and Payment Aggregators may also provide services which
include generation of settlement via netting of the funds received by the merchants onboarded
by them. By being the bridge between consumers at one end and merchants at the other end,
these service providers play a role in processing and completion of the payment transactions.
They could be engaged by a bank, a merchant, or a biller (utility company, telco, etc.).
2.6 Currently, most acquiring is done by third-party aggregators and technology
providers. These entities may also provide cross-border settlement services and are governed
by the guidelines issued by the Foreign Exchange Department (FED, RBI) on Online Payment
Gateway Service Providers (OPGSPs).
3.1 The activities of Payment Gateways and Payment Aggregators in online transactions
are extremely crucial. In such a technology- and customer-experience-intensive business,
entities with inadequate governance practices may become a source of risk, which may
impact customer confidence and experience.
3.2 The customer ordinarily has very limited access to the Payment Gateways and
Payment Aggregators and must rely on merchants or banks, who alone can seek redress from
the Payment Aggregators. The lack of a proper redress mechanism and of uniformity in practice
across the entities is also a matter of concern.
3.3 It is, however, a fact that the present guidelines of indirect regulation of such
intermediaries (through the nodal banks) have withstood the test of time. Over the last 10 years,
no major complaints have been received on this arrangement.
3.4 Furthermore, there is a need for appropriate delineation of roles and responsibilities
among merchants and customers, clarity on the routing of transactions through proper
reporting of the transactions handled, etc. Being part of the payments process chain, these entities
also handle sensitive customer data. Management of customer data, data privacy and the Know Your
Customer (KYC) requirements of merchants are also important from the point of view of
security and customer confidence in the ecosystem.
3.5 The technology set-up of Payment Gateways and Payment Aggregators varies
amongst the entities, and the architecture changes over time in keeping with their predominant
business objectives, including the need to provide efficient processing, a seamless customer
experience, etc. They may resort to multiple integrations to provide redundancy.
3.6 Leveraging their market presence, some of the e-commerce marketplaces also offer
payment aggregation services. The primary business of these e-commerce marketplaces
does not come within the regulatory ambit of RBI, and in the case of regulatory prescriptions
for Payment Aggregators, they would end up being subjected to dual regulation. Hence, a
separation of these two activities would make for a better regulatory approach / process.
3.7 The existing regulations are applicable to intermediaries who collect monies from
customers for payment to merchants using any electronic / online payment mode. Thus,
essentially, transactions reflecting pay-ins by the aggregators to the merchants are included
(i.e. debit transactions).
Based on the understanding of the current ecosystem, certain regulatory options and
approaches are suggested in this discussion paper for regulating the activities of Payment
Aggregators and Payment Gateways.
4.1 Option 1 : Continue with the extant instructions with minor changes in respect of
definition of ‘T’ and clarify the applicability of the guidelines.
4.2 Option 2 : Limited Regulation : The Payment Gateways and Payment Aggregators
shall follow the norms and guidelines in respect of minimum net-worth, merchant on-boarding,
timelines for settlement of funds, maintenance of escrow account, IT security, etc., and shall
be required to submit certain returns to RBI. The Payment Gateways and Payment
Aggregators would be licensed / registered in a phased manner, over a period of time. Only off-
site monitoring would be resorted to.
4.3.1 Payment Gateways and Payment Aggregators shall be authorised under the Payment
and Settlement Systems Act, 2007 (PSSA). Sufficient time, of say one year, may be given to
the existing market participants to achieve compliance with the required capitalisation norms.
They shall adhere to the regulations from the date of issue of the regulations or as specified
therein. Further, the authorised Payment Gateways and Payment Aggregators shall also, if
required, maintain the funds received from customers in an escrow account with a scheduled
commercial bank.
4.3.2 These entities shall be subjected to both on-site and off-site monitoring. A brief of
requirements under direct regulation is given below (details in Annex 1) :
i. Authorisation / Licencing : The regulations would be applicable to Payment Aggregators
and Payment Gateways. Non-bank Payment Aggregators and Payment Gateways shall
require authorisation from RBI under PSSA. Entities undertaking Payment Aggregation
and Payment Gateway activity shall be a company incorporated in India under the
Companies Act, 2013. They shall be given one financial year (from date of issue of
guidelines) to comply with the entry point norms and other technology, security, storage,
etc., norms issued in this regard.
ii. Capital Requirements : The capital requirement shall be a minimum net-worth, as prescribed
for Bharat Bill Payment Operating Units (BBPOUs) (currently ₹ 100 crore), to be maintained
at all times. Existing Payment Aggregators shall, within one year after the issuance of
guidelines by RBI, comply with this net-worth requirement. Entities not able to comply with
the net-worth requirement within the stipulated time frame need not apply for
authorisation but shall wind up their payment aggregation business within one year of issuance
of guidelines.
iii. Governance : The entity shall be professionally managed where the promoters of the
company shall satisfy the fit and proper criteria prescribed by RBI. There shall be a Board
approved policy for disposal of complaints / dispute resolution mechanism / time-lines for
processing refunds, etc. Entities shall appoint a Nodal Officer responsible for regulatory
and customer grievance handling functions whose details are prominently displayed on
their website.
iv. Safeguards against Money Laundering (KYC / AML / CFT) Provisions : The Know Your
Customer (KYC) / Anti-Money Laundering (AML) / Combating Financing of Terrorism
(CFT) guidelines issued by the Department of Banking Regulation (DBR), RBI, in their
“Master Direction – Know Your Customer (KYC) Directions” updated from time to time,
shall apply mutatis mutandis to all the Payment Aggregators and Payment Gateways
along with the provisions of Prevention of Money Laundering Act, 2002 and Rules framed
thereunder, as amended from time to time.
4.3.3 As banks are already regulated entities of RBI, the Payment Gateway services
provided by them need not require a separate authorisation as these activities form part of
regular banking business. They shall, however, comply with other prescriptions regarding
time-lines, customer grievance redressal mechanism, etc. However, where the banks act as
Payment Aggregator they have to obtain authorisation under PSSA.
5 Coverage of Framework
6.1 Payment Gateways and Payment Aggregators are a critical link in the transaction flow,
and there is a case to regulate their activities, which fall within the ambit of PSSA.
6.2 The Payment Gateway services of banks also involve activities similar to those of non-bank
Payment Aggregators. However, since the funds being managed on behalf of the merchants
are a part of their banking relationship, and the merchants have other safety nets for
recourse vis-à-vis the banks, their activities cannot be equated with those of non-
bank Payment Aggregators. There is, however, merit in banks providing Payment Gateway
services also adhering to the minimum technical requirements.
Annex 1
1 Authorisation / Licencing
1.1 The regulations would be applicable to Payment Gateways and Payment Aggregators.
1.2 Non-bank Payment Gateways and Payment Aggregators shall require authorisation
from RBI under PSSA.
1.3 Existing Payment Gateways and Payment Aggregators shall apply for authorisation;
however, they shall be given one financial year (from date of issue of guidelines) to comply
with the entry point norms and other technology, security, storage, etc. norms issued in this
regard.
1.5 Banks acting as Payment Gateways and Payment Aggregators shall obtain
authorisation / approval under PSSA along with a ‘No Objection Certificate’ from the respective
regulatory department of RBI.
1.6 Entities undertaking Payment Gateways and Payment Aggregators activity shall be a
company incorporated in India under the Companies Act, 2013.
1.7 The Memorandum of Association (MoA) of the applicant entity must cover the
proposed activity of operating as a Payment Gateway and Payment Aggregator.
1.8 Payment Gateways and Payment Aggregators shall deal with only those merchants
who have a physical presence in the country.
2 Capital Requirements
2.1 The capital requirement shall be a minimum net-worth, as prescribed for Bharat Bill
Payment Operating Units (BBPOUs), to be maintained at all times (currently ₹ 100 crore).
Existing Payment Gateways and Payment Aggregators shall, within one year after the
issuance of guidelines by RBI, comply with this net-worth requirement.
2.2 Net-worth shall consist of paid up equity capital, preference shares which are
compulsorily convertible into equity capital, free reserves, balance in share premium account
and capital reserves representing surplus arising out of sale proceeds of assets but not
reserves created by revaluation of assets adjusted for accumulated loss balance, book value
of intangible assets and deferred revenue expenditure, if any. Compulsorily convertible
preference shares can be either non-cumulative or cumulative, and they should be
compulsorily convertible into equity shares and the shareholder agreements should
specifically prohibit any withdrawal of this preference capital at any time.
2.3 Entities having Foreign Direct Investment (FDI) / Foreign Portfolio Investment (FPI) /
Foreign Institutional Investment (FII) shall also meet the capital requirements as applicable
under the extant Consolidated FDI policy guidelines of Government of India.
2.4 Entities not able to comply with the net-worth requirement within the stipulated time
frame need not apply for authorisation but shall wind up their payment aggregation business within
one year of issuance of guidelines. The banks presently maintaining nodal accounts of such
entities shall have to report compliance in this regard.
3 Governance
3.1 The entity shall be professionally managed. The promoters of the company shall satisfy
the fit and proper criteria prescribed by RBI.
3.2 The agreements between aggregators, merchants, acquiring banks, and all other
stakeholders shall clearly delineate the roles and responsibilities of the involved parties in
sorting / handling complaints, refunds / failed transactions, return policy, customer grievance
redressal (including turnaround time for resolving queries), dispute resolution mechanism,
reconciliation, etc.
3.3 The entity shall disclose comprehensive information regarding merchant policies,
pricing, customer grievances, privacy policy and other terms and conditions on the website
and / or their mobile application.
3.4 The entity shall have a Board approved policy for disposal of complaints / dispute
resolution mechanism / time-lines for processing refunds etc.
3.5 The entity shall appoint a Nodal Officer responsible for regulatory and customer
grievance handling functions. Details of the nodal officer should be prominently displayed on
their website.
4.1 The Know Your Customer (KYC) / Anti-Money Laundering (AML) / Combating
Financing of Terrorism (CFT) guidelines issued by the Department of Banking Regulation
(DBR), RBI, in their “Master Direction – Know Your Customer (KYC) Directions” updated from
time to time, shall apply mutatis mutandis to all such entities.
4.2 Provisions of Prevention of Money Laundering Act, 2002 and Rules framed
thereunder, as amended from time to time, shall also be applicable.
5 Definitions
5.1.1 The definitions considered in this discussion paper are elucidated in the Glossary
provided at the end.
6 Merchant On-boarding
6.1 The Payment Gateways and Payment Aggregators shall ensure compliance to
KYC/AML requirements while onboarding merchants. The Payment Aggregators shall
undertake background and antecedent check of the merchants, to ensure that such merchants
do not have any malafide intention of duping customers, do not sell fake / counterfeit /
prohibited products, etc. The merchant’s website shall clearly indicate the terms and
conditions of the service and time-line for processing returns and refunds.
6.2 The entity shall undertake due diligence, inter alia, by checking the merchant website
for authenticity and security purposes. Merely obtaining a self-assessment / declaration
from the merchant shall not be treated as a sufficient process for onboarding a merchant.
6.3 As and when required, the entity shall demonstrate and prove that there was no
compromise in the process of due diligence. In addition, technical aspects like internet traffic,
information disclosure policy, digital footprint, privacy policy, etc., shall also be checked.
6.4 The contract signed with the merchant by the payment aggregator shall clearly indicate
that the merchant cannot act as a sub-aggregator and shall route transactions pertaining only
to his / her own business.
6.5 While on-boarding merchants, such an entity shall comply with the requirements, if
any, issued by any other regulator and / or any payment instrument provider regarding not
permitting certain businesses from accepting electronic payments.
6.6 The entity shall be responsible for checking that the infrastructure of the merchant
deployed for connecting to the aggregator is PCI-DSS (Payment Card Industry Data Security
Standard) and PA-DSS (Payment Application Data Security Standard) compliant. Merchant
infrastructure storing customer payment data should be PCI-DSS compliant on an on-going
basis. The merchant site should not save the customer's card and related data as a matter of
course. The customer should be given the consent option, and the default option should be ‘NO’.
If required, a security audit of the merchant may be carried out before on-boarding.
6.7 The agreement with the merchant shall have provision for the security / privacy of customer
data. The agreement with merchants shall include compliance with PCI-DSS and incident
reporting obligations. The entity shall obtain periodic security assessment reports, either based
on the risk assessment (large or small merchants) and / or at the time of renewal of contracts.
7.1 Payment Gateways and Payment Aggregators shall put in place a formal, publicly
disclosed customer grievance redressal framework and dispute management framework,
including designating a nodal officer to handle the customer complaints / grievances, the
escalation matrix and turn-around-times for complaint resolution. The complaint facility, made
available on website / mobile, shall be clearly and easily accessible.
7.2 The agreements between Payment Gateways and Payment Aggregators, merchants,
acquiring banks, and all other stakeholders shall clearly delineate the roles and responsibilities
in sorting / handling complaints, refunds / failed transactions, return policy, customer grievance
redressal (including turnaround time for resolving queries), dispute resolution mechanism,
reconciliation, etc.
7.3 The Payment Gateways and Payment Aggregators shall disclose comprehensive
information regarding merchant policies, pricing, customer grievances, privacy policy and
other terms and conditions on the website and / or their mobile application.
7.4 The Payment Gateways and Payment Aggregators shall have a dispute resolution
mechanism binding on all the participants which shall contain transaction life cycle, detailed
explanation of types of disputes, process of dealing with them, compliance, responsibilities of
all the parties, documentation, reason codes, procedure for addressing the grievance, turn-
around-time for each stage, etc.
7.5 If the goods / services are not delivered to the customer within the time-lines as
conveyed by the merchant to the customer, the Payment Gateways and Payment Aggregators
shall protect their own interest by having necessary recourse clauses in the agreements
signed and / or obtaining guarantee / funding of risk reserve by the merchant.
7.6 Customer complaints, including merchant complaints, shall be handled / disposed of by the
Payment Gateways and Payment Aggregators within such time and in such manner as
provided for in their Board approved policy, but in any case not beyond a period of 7 working
days from receipt of the complaint by the Payment Aggregator.
8.1 The Payment Gateways and Payment Aggregators shall put in place adequate
information and data security infrastructure and systems for prevention and detection of
frauds.
8.2 The Payment Gateways and Payment Aggregators shall put in place Board approved
Information Security policy for the safety and security of the payment systems operated by
them, and implement security measures in accordance with this policy to mitigate identified
risks. Indicative IT security recommendations are provided in Annex 2 for adoption by the
Payment Aggregator and Payment Gateways.
8.3 The Payment Gateways and Payment Aggregators shall establish a mechanism for
monitoring, handling and follow-up of cyber security incidents and breaches. Any incident or
breach shall be reported immediately to DPSS, RBI, Central Office, Mumbai and CERT-In
(Indian Computer Emergency Response Team) as per the details notified by CERT-In.
8.4 The Payment Gateways and Payment Aggregators shall not store the customer card
credentials within their database or the servers accessed by the merchants.
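The two storage rules above (Annex 1, 6.6: card data is not saved unless the customer opts in, with the default being ‘NO’; and 8.4: no card credentials in the aggregator's database or on merchant-accessible servers) are easiest to enforce at the point where a transaction record is written. The following is an added example written for this page, not code from RBI or from any Payment Aggregator: it strips credential fields, keeps only a last-4 display value, optionally derives a keyed reference for an opted-in card, and scans every remaining string (including free-text notes and log lines) for Luhn-valid digit runs so that a PAN cannot slip through in an unexpected field. The field names, the sample record and the HMAC key are constructed assumptions; the keyed hash stands in for a token issued by a separate vault.

```python
"""Added example (not from the source document): sanitising a payment record
before persistence so that no card credentials are stored, with card saving
defaulting to 'NO'. Field names, sample data and the key are assumptions."""
import hashlib
import hmac
import re
from copy import deepcopy
from typing import Any

# Assumed field names for data that must never be persisted (the categories
# themselves - PAN, CVV/CVV2, PIN, track data - follow PCI-DSS).
PROHIBITED_KEYS = {"pan", "cvv", "cvv2", "pin", "track_data",
                   "expiry_month", "expiry_year"}

# Constructed secret for the example only; in production it lives in an HSM/KMS.
EXAMPLE_HMAC_KEY = b"example-key-not-for-production"

_DIGIT_RUN = re.compile(r"\d{13,19}")   # card PAN lengths


class CardDataRetentionError(Exception):
    """Raised when a record about to be stored still carries card data."""


def luhn_valid(number: str) -> bool:
    """Luhn check used by card networks; filters out ordinary long numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pan_like_values(obj: Any) -> list:
    """Walk nested dicts/lists/strings and return digit runs that look like a PAN."""
    found = []
    if isinstance(obj, dict):
        for v in obj.values():
            found.extend(find_pan_like_values(v))
    elif isinstance(obj, (list, tuple)):
        for v in obj:
            found.extend(find_pan_like_values(v))
    elif isinstance(obj, str):
        found.extend(m for m in _DIGIT_RUN.findall(obj) if luhn_valid(m))
    return found


def redact_pans(text: str) -> str:
    """Mask PAN-like runs in free text (e.g. a log line) to asterisks + last 4."""
    def _mask(m):
        s = m.group(0)
        return "*" * (len(s) - 4) + s[-4:] if luhn_valid(s) else s
    return _DIGIT_RUN.sub(_mask, text)


def card_reference(pan: str) -> str:
    """Keyed hash standing in for a vault-issued token: lets a returning card be
    recognised without the PAN itself ever being stored."""
    return hmac.new(EXAMPLE_HMAC_KEY, pan.encode(), hashlib.sha256).hexdigest()


def sanitize_for_storage(record: dict, save_card: bool = False) -> dict:
    """Strip card credentials before persistence.

    `save_card` defaults to False, matching the 'default option should be NO'
    consent rule. Even with consent, only a last-4 display value and a keyed
    reference are retained; the CVV/PIN are never kept.
    """
    pan = record.get("pan", "")
    out = {k: deepcopy(v) for k, v in record.items() if k not in PROHIBITED_KEYS}
    if pan:
        out["pan_last4"] = pan[-4:]
    # Scan everything that came from the input, including free-text fields,
    # before writing; the derived reference is added after the scan because it
    # is not card data.
    leaked = find_pan_like_values(out)
    if leaked:
        raise CardDataRetentionError(f"card data would be persisted: {leaked}")
    if pan and save_card:
        out["card_reference"] = card_reference(pan)
    return out


# Constructed sample: a callback as an aggregator might receive it. The PAN is
# the well-known Visa test number, not a real card.
SAMPLE_RECORD = {
    "order_id": "ORD-000123",
    "amount_inr": "1499.00",
    "pan": "4111111111111111",
    "cvv": "123",
    "expiry_month": "12",
    "expiry_year": "2024",
    "merchant_note": "customer paid with card 4111111111111111",  # leak in free text
}


if __name__ == "__main__":
    try:
        sanitize_for_storage(SAMPLE_RECORD)
    except CardDataRetentionError as e:
        print("rejected:", e)
    clean = {k: v for k, v in SAMPLE_RECORD.items() if k != "merchant_note"}
    print(sanitize_for_storage(clean, save_card=True))
    print(redact_pans("2019-02-07 auth card=4111111111111111 status=ok"))
```

Running the block shows the first record being rejected because the PAN appears in a free-text note, the second being stored with only `pan_last4` and a keyed reference, and a log line being redacted before it is written; the same scanner can be run over exported logs and database dumps as a periodic check that 8.4 holds in practice.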
8.5 The Payment Gateways and Payment Aggregators shall submit the System Audit
Report, including cyber security audit conducted by CERT-In empanelled auditors, within two
months of the close of their financial year to the respective Regional Office of DPSS, RBI.
9 Reports
10 General Instructions
10.1 The Payment Gateways and Payment Aggregators shall ensure that neither the
merchants on-boarded by them pass on MDR (Merchant Discount Rate) charges to customers
while accepting payments through debit cards nor will they separately charge customers in
lieu of MDR on debit cards. Information on other charges such as convenience fee, etc., if
any, being levied shall be displayed by the Payment Gateways and Payment Aggregators
before the payment is made by the customer.
10.2 Limits on transaction amounts for a particular payment mode shall not be placed by
Payment Gateways and Payment Aggregators. The responsibility for placing such transaction
amount limit shall lie with the issuing bank or issuing entity; for instance, the card issuing bank
shall be responsible for placing limits on cards issued by them based on the customer’s credit
worthiness, spending nature, profile, etc.
10.3 The Payment Gateways and Payment Aggregators shall not invoke the ATM PIN as a
factor of authentication for card-not-present transactions involving debit cards.
10.4 The instructions on storage of payment system data as applicable to PSOs would
apply to the authorised Payment Gateways and Payment Aggregators.
Annex 2
IT Security Issues
1. Security-related Recommendations
1.1. The baseline and desirable requirements for payment aggregators in respect of IT
systems and security are presented below.
(i) Information Security Governance: The entities shall, at a minimum, carry out a
comprehensive security risk assessment of their people, IT and business process
environment to identify risk exposures, with remedial measures and residual risks. This
can take the form of an internal security audit and an annual security audit by an independent
security auditor or a CERT-In empanelled auditor. Reports on risk assessment, security compliance
posture, security audit reports and security incidents shall be presented to the Board.
(ii) Data Security Standards: Data security standards and best practices like PCI-DSS,
PA-DSS, latest encryption standards, Transport Channel Security etc. shall be
implemented.
(iii) Security Incident Reporting: The entities shall report security incidents / card holder
data breaches to RBI within a 2-6 hour timeframe. Monthly cyber security incident reports,
with root cause analysis and preventive actions undertaken, shall also be submitted to
RBI.
(v) Cyber Security Audit and Reports: The entities shall carry out and submit to the IT
Committee: quarterly internal and annual external audit reports; bi-annual Vulnerability
Assessment / Penetration Test (VAPT) reports; the PCI-DSS compliance report, including Attestation of
Compliance (AOC) and Report on Compliance (ROC), with observations
noted, if any, including corrective / preventive actions planned with action closure dates; an
inventory of applications that store, process or transmit customer sensitive data; and the
PA-DSS compliance status of payment applications that store or process card
holder data.
(i) Information Security: Board approved Information security policy shall be reviewed at
least annually. The policy shall consider aspects like: alignment with business objectives;
the objectives, scope, ownership and responsibility for the policy; information security
organizational structure; information security roles and responsibilities; maintenance of
asset inventory and registers; data classifications; authorization; exceptions; knowledge
and skill sets required; periodic training and continuous professional education;
compliance review and penal measures for non-compliance of policies.
exists and are implemented. The strategic plan and policy shall be reviewed annually.
The Board level IT Governance framework of Payment Aggregators shall have,
a. Involvement of Board: The major role of the Board / Top Management shall
involve approving information security policies, establishing necessary organizational
processes/ functions for information security and providing necessary resources.
b. IT Steering Committee: An IT Steering Committee shall be created with
representations from various business functions as appropriate. The Committee will
assist the Executive Management in the implementation of the IT strategy approved
by the Board. It shall have well defined objectives and actions.
c. Enterprise Information Model: The entities shall establish and maintain an
enterprise information model to enable applications development and decision-
supporting activities, consistent with the Board approved IT strategy. It shall facilitate
optimal creation, use and sharing of information by a business, in a way that
maintains integrity and is flexible, functional, timely, secure and resilient to failure.
d. Cyber Crisis Management Plan: The entities shall prepare a comprehensive
Cyber Crisis Management Plan, approved by the IT strategy committee, which shall
include components such as Detection, Containment, Response and Recovery.
(iii) Enterprise Data Dictionary: The entities shall maintain an “enterprise data dictionary”
incorporating the organization’s data syntax rules. This should enable the sharing of data
among applications and systems, promote a common understanding of data among IT
and business users, and prevent the creation of incompatible data elements.
(iv) Risk Assessment: The risk assessment must, for each asset within its scope,
identify the threat / vulnerability combinations and likelihood of impact on confidentiality,
availability or integrity of that asset – from a business, compliance and/or contractual
perspective.
(vi) Competency of Staff: Requirements for trained resources with requisite skill
sets for the IT function need to be understood and assessed appropriately with a periodic
assessment of the training requirements for human resources.
(viii) Maturity and Roadmap: The Payment Aggregators shall consider assessing
their IT maturity level, based on well-known international standards, design an action plan
and implement the plan to reach the target maturity level.
(x) Forensic Readiness: All security events from Payment Aggregator’s infrastructure
including but not limited to application, servers, middleware, endpoint, network,
authentication events, database, web services, cryptographic events and log files shall be
collected, investigated and analysed for proactive identification of security alerts.
(xi) Data Sovereignty: The Payment Aggregators shall take preventive measures
to ensure that data is stored in infrastructure that does not belong to external jurisdictions.
Appropriate controls shall be considered to prevent unauthorized access to the data.
Annex 3
Annual
1. Audited Annual report with CA certificate on Networth – by September 30th.
2. IS Audit Report and Cyber Security Audit Report with observations noted, if any,
including corrective / preventive action planned with closure date – Externally Audited
– by May 31st.
3. Networth Certificate as on September 30th (un-audited) on self-declaration basis – by
December 31st.
Quarterly
1. Auditors’ Certificate on Escrow Balance – by 15th of the month following the quarter
end.
2. Bankers’ Certificate on Escrow Account Debits and Credits – Internally Audited – by
15th of the month following the quarter end.
3. Auditors’ Certificate on Nodal Accounts – for Marketplaces – by 15th of the month
following the quarter end.
4. Customer Grievances Report – by 15th of the month following the quarter end.
5. Cyber Security Audit Report – Internally audited – by 15th of the month following the
quarter end.
Monthly
1. Statistics of transactions handled – by 7th of next month.
2. Report on frauds – by 7th of next month.
3. Cyber Security incident reports – with root cause analysis and preventive action
undertaken – by 7th of next month.
Non-periodic
1. Technical Audit – one time; also as and when a major change is made to process flow.
2. Change in Board of Director – as and when happens.
Abbreviations
BBPS: Bharat Bill Payment System
BPSS: Board for (Regulation and Supervision of) Payment & Settlement Systems
FII: Foreign Institutional Investment
NACH: National Automated Clearing House
OPGSP: Online Payment Gateway Service Provider
PSSA: Payment & Settlement Systems Act, 2007
Glossary
Bharat Bill Payment System (BBPS): A one-stop payment platform for bills of utility agencies providing an interoperable and accessible bill payment service to all customers across India. The system provides customers with the option to pay any bill anytime and from anywhere.
Board for (Regulation and Supervision of) Payment and Settlement Systems (BPSS): The sub-committee of the Central Board of the Reserve Bank of India is the apex policy making body on payment systems in the country. The BPSS is empowered to authorize, prescribe policies and set standards for regulating and supervising the payment and settlement systems in the country.
E-commerce [1]: Buying and selling goods and services, including digital products, over digital and electronic networks, which may have –
[1] DIPP, GoI, Press Note 2 (2018 series) - DIPP (Department of Industrial Policy and Promotion), GoI guidelines indicate that an e-commerce marketplace may provide support services, including for payment collection, and these may facilitate payments for sale in conformity with the guidelines of RBI.
Payment Gateway (PG): A technology infrastructure provider to route and facilitate processing of an online payment transaction, without any involvement in the actual handling of funds.
Payment System (PS): A system that enables payment to be effected between a payer and a beneficiary, involving clearing, payment or settlement service or all of them, but does not include a stock exchange.
Payment Card Industry - Data Security Standard (PCI-DSS): A set of security standards designed to ensure that all companies that accept, process, store or transmit card information maintain a secure environment.
Payment Application Data Security Standard (PA-DSS): A security standard for software vendors that develop payment applications. The standard aims to prevent storage of prohibited secure data (CVV2, PIN, magnetic stripe).
Payment and Settlement Systems Act, 2007 (PSSA): A legislation that provides for regulation and supervision of payment systems in India and designates the Reserve Bank of India as the authority for the purpose.
Nodal Account: An internal account of the bank, opened for facilitating collection of payments by intermediaries from customers of merchants.
Escrow Account: Account maintained in a bank in which funds are held for specific credits and debits.
[2] Section 2 (1) (i) of PSSA